Privacy Policy | Alternativa LLC
Download the catalog
8 (495) 363-29 41 info@alternativa-group.ru
Download the catalog
Download the catalog
8 (495) 363-29 41 info@alternativa-group.ru

PERSONAL DATA PROTECTION AND PROCESSING POLICY

of Alternativa Limited Liability Company (hereinafter referred to as “Alternativa LLC”)

1.General Provisions

1.1. This Personal Data Processing Policy (hereinafter referred to as the “Policy”) has been developed in accordance with Clause 2 of Article 18.1 of Federal Law No. 152 dated July 27, 2006 “On Personal Data” (hereinafter referred to as the “Personal Data Law”), as well as other regulatory legal acts in the field of personal data protection and processing, and applies to all personal data (hereinafter referred to as “Data”) that the Organization (hereinafter referred to as the “Operator”, the “Company”) may obtain from a personal data subject who is a party to a civil law contract, as well as from a personal data subject who is in labor relations with the Operator (hereinafter referred to as the “Employee”).

1.2. The Operator ensures the protection of processed personal data against unauthorized access and disclosure, unlawful use or loss in accordance with the requirements of the Personal Data Law.

1.3. Amendment of the Policy

1.3.1. The Operator has the right to amend this Policy. When amendments are made, the date of the latest revision shall be indicated in the title of the Policy. The new version of the Policy shall enter into force from the moment it is published on the website, unless otherwise provided by the new version of the Policy.

2. Terms and Definitions

Personal Data – any information relating to a directly or indirectly identified or identifiable natural person (the personal data subject).

Personal Data Operator (Operator) – a state authority, municipal authority, legal entity or individual that independently or jointly with others organizes and/or carries out the processing of personal data, and determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data.

Processing of Personal Data – any action (operation) or set of actions (operations) performed with personal data with or without the use of automation tools. Processing of personal data includes, inter alia:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating, modification);
  • extraction;
  • use;
  • transfer (distribution, provision, access);
  • anonymization;
  • blocking;
  • deletion;
  • destruction.

Automated Processing of Personal Data – processing of personal data using computing equipment.

Distribution of Personal Data – actions aimed at disclosure of personal data to an indefinite number of persons.

Provision of Personal Data – actions aimed at disclosure of personal data to a specific person or a specific group of persons.

Blocking of Personal Data – temporary suspension of processing of personal data (except in cases where processing is necessary to clarify personal data).

Destruction of Personal Data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the material media of personal data are destroyed.

Anonymization of Personal Data – actions as a result of which it becomes impossible, without the use of additional information, to determine the ownership of personal data by a specific personal data subject.

Personal Data Information System – a set of personal data contained in databases and information technologies and technical means ensuring their processing.Cross-Border Transfer of Personal Data – transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual or a foreign legal entity.

3. Procedure and Conditions for Processing and Storage of Personal Data

3.1. Processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

3.2. Processing of personal data is carried out with the consent of personal data subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.

3.3. The Operator carries out both automated and non-automated processing of personal data.

3.4. Employees of the Operator whose official duties include the processing of personal data are allowed to process personal data.

3.5. Processing of personal data is carried out by:

  • obtaining personal data orally and in writing directly with the consent of the personal data subject to the processing of their personal data;
  • obtaining personal data from publicly available sources;
  • entering personal data into journals, registers and information systems of the Operator;
  • using other methods of processing personal data.

3.6. Disclosure to third parties and distribution of personal data without the consent of the personal data subject is not allowed, unless otherwise provided by federal law.

3.7. Transfer of personal data to inquiry and investigation authorities, the Federal Tax Service, the Pension Fund, the Social Insurance Fund and other authorized executive authorities and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

3.8. The Operator takes the necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, distribution and other unauthorized actions, including:

  • identifying threats to the security of personal data during their processing;
  • adopting local regulatory acts and other documents regulating relations in the field of personal data processing and protection;
  • appointing persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
  • creating the necessary conditions for working with personal data;
  • organizing the accounting of documents containing personal data;
  • organizing work with information systems in which personal data are processed;
  • storing personal data under conditions ensuring their safety and preventing unauthorized access;
  • organizing training of the Operator’s employees involved in personal data processing.

3.9. The Operator stores personal data in a form that allows identification of the personal data subject for no longer than required by the purposes of personal data processing, unless the storage period is established by federal law or contract.

3.10. When collecting personal data, including via the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification) and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases specified in the Personal Data Law.

3.11. Purposes of Personal Data Processing

3.11.1. Only personal data that meet the purposes of their processing are subject to processing.

3.11.2. The Operator processes personal data for the following purposes:

  • ensuring compliance with the Constitution, federal laws and other regulatory legal acts of the Russian Federation;
  • carrying out activities in accordance with the Charter of Alternative LLC;
  • maintaining personnel records;
  • assisting employees in employment, education and career advancement; ensuring the personal safety of employees; monitoring the quantity and quality of work performed; ensuring the safety of property;
  • attracting and selecting candidates for employment with the Operator;
  • organizing individual (personalized) registration of employees in the compulsory pension insurance system;
  • completing and submitting required reporting forms to executive authorities and other authorized organizations;
  • carrying out civil law relations;
  • maintaining accounting records;
  • ensuring access control.

3.11.3. Processing of employees’ personal data may be carried out exclusively for the purposes of ensuring compliance with laws and other regulatory legal acts.

3.12. Categories of Personal Data Subjects

The Operator processes personal data of the following categories of personal data subjects:

  • individuals in labor relations with the Company;
  • individuals dismissed from the Company;
  • individuals who are job candidates;
  • individuals in civil law relations with the Company.

3.13. Personal Data Processed by the Operator

  • data obtained in the course of labor relations;
  • data obtained for the purpose of selecting candidates for employment;
  • data obtained in the course of civil law relations.

3.14. Storage of Personal Data

3.14.1. Personal data of subjects may be obtained, further processed and transferred for storage both on paper and in electronic form.

3.14.2. Personal data recorded on paper media are stored in locked cabinets or in locked premises with restricted access rights.

3.14.3. Personal data of subjects processed using automation tools for different purposes are stored in different folders.

3.14.4. Storage and placement of documents containing personal data in open electronic catalogs (file-sharing services) in personal data information systems is not allowed.

3.14.5. Personal data are stored in a form that allows identification of the personal data subject no longer than required by the purposes of their processing and are subject to destruction upon achievement of processing purposes or in case the need to achieve them is lost.

3.15. Destruction of Personal Data

3.15.1. Destruction of documents (media) containing personal data is carried out by burning, shredding, chemical decomposition, or converting into an amorphous mass or powder. Use of a shredder is permitted for destruction of paper documents.

3.15.2. Personal data on electronic media are destroyed by erasure or formatting of the media.

3.15.3. The fact of destruction of personal data is documented by an act of destruction of the media.

4. Protection of Personal Data

4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (PDPS) consisting of legal, organizational and technical protection subsystems.

4.2. The legal protection subsystem is a set of legal, organizational-administrative and regulatory documents ensuring the creation, functioning and improvement of the PDPS.

4.3. The organizational protection subsystem includes organization of the PDPS management structure, authorization system, and protection of information when working with employees, partners and third parties.

4.4. The technical protection subsystem includes a set of technical, software and hardware tools ensuring the protection of personal data.

4.5. Main Measures for the Protection of Personal Data Used by the Operator

4.5.1. Appointment of a person responsible for personal data processing, who organizes personal data processing, training and instruction, and internal control over compliance by the institution and its employees with personal data protection requirements.

4.5.2. Identification of актуальных (relevant) threats to the security of personal data during their processing in personal data information systems and development of measures and activities for personal data protection.

4.5.3. Development of a personal data processing policy.

4.5.4. Establishment of access rules to personal data processed in personal data information systems, and registration and accounting of all actions performed with personal data in such systems.

4.5.5. Establishment of individual access passwords for employees in the information system in accordance with their job duties.

4.5.6. Use of information security tools that have passed the conformity assessment procedure in accordance with established procedure.

4.5.7. Certified antivirus software with regularly updated databases.

4.5.8. Compliance with conditions ensuring the safety of personal data and preventing unauthorized access to them.

4.5.9. Detection of facts of unauthorized access to personal data and taking measures.

4.5.10. Restoration of personal data modified or destroyed due to unauthorized access.

4.5.11. Training of the Operator’s employees directly involved in personal data processing in the provisions of the legislation of the Russian Federation on personal data, including personal data protection requirements, documents defining the Operator’s policy in the field of personal data processing, and local acts on personal data processing issues.

4.5.12. Internal control and audit.

5. Main Rights of the Personal Data Subject and Obligations of the Operator

5.1. Main Rights of the Personal Data Subject

The personal data subject has the right to access their personal data and the following information:

  • confirmation of the fact of personal data processing by the Operator;
  • legal grounds and purposes of personal data processing;
  • purposes and methods of personal data processing used by the Operator;
  • name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Operator or on the basis of federal law;
  • processing periods of personal data, including storage periods;
  • procedure for exercising the rights of the personal data subject provided for by this Federal Law;
  • name or full name and address of the person processing personal data on behalf of the Operator, if processing has been or will be entrusted to such a person;
  • contacting the Operator and sending requests to it;
  • appealing actions or inaction of the Operator.

5.2. Obligations of the Operator

The Operator is obliged to:

  • provide information on personal data processing when collecting personal data;
  • notify the personal data subject in cases where personal data were not obtained from the subject;
  • explain the consequences of refusal to provide personal data to the subject;
  • publish or otherwise ensure unrestricted access to the document defining its policy in relation to personal data processing and to information on implemented requirements for personal data protection;
  • take necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, and other unlawful actions;
  • respond to requests and appeals of personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.